
Juniper IPSec Site-to-Site VPN Tunnel Configuration

By David.K

Note:

Refer to the Juniper website on how to access the J-web interface for the first time and configure
SSL Web Access.

Tunnel configuration can be confusing, and a good way to understand it is to keep in mind that just as
there are two phases to tunnel negotiation, there are two phases to tunnel configuration. The following
procedure lists the order in which you must configure an IPSec tunnel if you use J-Web or the CLI editor.
Although you need not follow this sequence when using the CLI configuration editor, I recommend that
you do. If, for example, you go out of sequence and configure a Phase 1 policy before you have
configured a proposal, you cannot easily reference the proposal in the policy because it will not appear in
the interface.

Phase 1

A. Configure IKE Phase 1 proposals
B. Configure IKE policies (and reference the proposals)
C. Configure IKE gateway (and reference the policy)

Phase 2

A. Configure Phase 2 proposals
B. Configure policies (and reference proposals)
C. Configure IPSec Autokey IKE (and reference the policy and gateway)

Now Phase 1 configuration

Configure IKE Phase 1 proposals

In Phase 1 proposal configuration, you must set the authentication method and the authentication and
encryption algorithms that will be used to open a secure channel between participants. In this example,
you create an IKE proposal called ike_prop_1 and specify that peers use preshared keys for encryption
and decryption, and that they use Diffie-Hellman group 2 to produce the shared secret for the keys. You
specify md5 as the authentication algorithm and 3DES cipher block chaining (CBC) for encryption. And
you specify that after 300 seconds the participants renegotiate a new security association (SA).

Note: When configuring a Phase 1 proposal for the dynamic VPN feature, note that you must set the
authentication method to preshared keys.

To configure Phase 1 proposals you can use either the J-Web or CLI configuration editor.

IKE Phase 1 J-Web Configuration

To configure a Phase 1 proposal in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Proposal, click Add new entry.
5. In the Name box, type Ike_prop_1.
6. From the Authentication algorithm list, select md5.
7. From the Authentication method list, select pre-shared-keys.
8. In the Description box, type new Ike proposal.
9. From the Dh-group list, select group2.
10. From the Encryption algorithm list, select 3des-cbc.
11. In the Lifetime seconds box, type 300 and click OK.
12. To save and commit the configuration, click Commit.

IKE Phase 1 CLI Configuration

To configure a Phase 1 proposal using the CLI editor:

user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300

Use the following command to display information about IKE proposals:

user@host# show security ike

Configure IKE policies

During policy configuration, you must set the mode in which the Phase 1 channel will be negotiated,
specify the type of key exchange to be used, and reference the Phase 1 proposal. In this example, you
create a policy called ike_pol_1, specify that participants exchange proposals in aggressive mode, and
reference the proposal called ike_prop_1. You specify that the preshared key be of type ASCII, and enter
the key.

Note: When configuring an IKE policy for the dynamic VPN feature, note that you must set the mode to
aggressive. Also note that you must use preshared keys rather than manual keys or certificates.

IKE policies J-Web Configuration

To configure an IKE policy in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Policy, click Add new entry.
5. In the Name box, type Ike_pol_1.
6. In the Description box, type new Ike policy.
7. From the Mode box, select aggressive.
8. Next to Pre shared key, click Configure.
9. From the key choice list, select Ascii text.
10. In the Ascii textbox, type $9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI and click OK.
11. Next to Proposals, click Add new entry.
12. In the Value keyword box, type Ike_prop_1 and click OK.
13. To save and commit the configuration, click Commit.

IKE policies CLI Configuration

To configure an IKE policy using the CLI editor:

user@host# set security ike policy ike_pol_1 mode aggressive
user@host# set security ike policy ike_pol_1 description "new ike policy"
user@host# set security ike policy ike_pol_1 proposals ike_prop_1
user@host# set security ike policy ike_pol_1 pre-shared-key ascii-text "$9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI"

Use the following command to display information about this IKE policy:

user@host# show security ike policy ike_pol_1

Configure IKE gateway (and reference the policy)

When creating the gateway, you must reference the Phase 1 policy. In this example, you create an IKE
gateway called ike_gateway_1, reference the policy ike_pol_1, and configure an IP address for the
gateway. You configure dead peer detection (DPD) to send a DPD request packet when the device has
not received traffic from a peer for 10 seconds, and to consider the peer unavailable after five sequences
of waiting 10 seconds and sending a DPD request packet. You also specify ge-0/0/0 as the outgoing
interface.

IKE gateway J-Web Configuration

To configure an IKE gateway in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Gateway, click Add new entry.
5. In the Gateway name box, type Ike_gateway_1.
6. Next to Dead peer detection, select the check box and click Configure.
7. In the Interval box, type 10.
8. In the Threshold box, type 5 and click OK.
9. In the External interface box, type ge-0/0/0.
10. In the Ike policy box, type ike_pol_1.
11. From the Remote identifier list, select Address.
12. Next to Address, click Add new entry.
13. In the Value box, type 1.1.1.2.
14. To save and commit the configuration, click Commit.

IKE gateway CLI Configuration

To configure an IKE gateway using the CLI editor:

user@host# set security ike gateway ike_gateway_1 ike-policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 address 1.1.1.2
user@host# set security ike gateway ike_gateway_1 dead-peer-detection interval 10
user@host# set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
user@host# set security ike gateway ike_gateway_1 external-interface ge-0/0/0

Use the following command to display information about this IKE gateway:

user@host# show security ike gateway ike_gateway_1


Now Phase 2 Configuration

Configure Phase 2 proposals

In Phase 2 proposal configuration, you must create a proposal, specify a security protocol, and select
authentication and encryption algorithms for the traffic that will flow through the tunnel. In this example,
you create a proposal called ipsec_prop_1, specify ESP as the security protocol, and set hmac-md5-96
as the authentication algorithm and 3des-cbc as the encryption algorithm. You also specify that the
security association (SA) terminate after 1,800 KB of data pass through it.

Phase 2 proposals using J-Web Configuration

To configure an IPsec Phase 2 proposal in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Proposal, click Add new entry.
5. In the Name box, type Ipsec_prop_1.
6. From the Authentication algorithm list, select hmac-md5-96.
7. In the Description box, type new ipsec proposal.
8. From the Encryption algorithm list, select 3des-cbc.
9. In the Lifetime seconds box, type 1800 and click OK.
10. From the Protocol list, select esp.
11. To save and commit the configuration, click Commit.

Phase 2 proposals using CLI Configuration

To configure an IPsec Phase 2 proposal using the CLI editor:

user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800

Use the following command to display information about this IPsec proposal:

user@host# show security ipsec proposal ipsec_prop_1


Configure policies (and reference proposals)

In Phase 2 IPsec policy configuration, you must create a policy and reference a Phase 2 proposal. In this
example, you create a policy called ipsec_pol_1 and reference the proposal ipsec_prop_1. You also
configure Perfect Forward Secrecy to use Diffie-Hellman Group 2 as the method the device uses to
generate the encryption key.

IPsec policies J-Web Configuration

To configure an IPsec policy in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Policy, click Add new entry.
5. In the Name box, type Ipsec_pol_1.
6. In the Description box, type new Ipsec policy.
7. Next to Perfect forward secrecy, click Configure.
8. From the Keys list, select group2 and click OK.
9. Next to Proposals, click Add new entry.
10. In the Value keyword box, type Ipsec_prop_1 and click OK.
11. To save and commit the configuration, click Commit.

IPsec policies CLI Configuration

To configure an IPsec policy using the CLI editor:

user@host# set security ipsec policy ipsec_pol_1 description "new ipsec policy"
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1

Use the following command to display information about this IPsec policy:

user@host# show security ipsec policy ipsec_pol_1

Configure IPsec Autokey IKE (and reference the policy and gateway)

In Phase 2 IPsec AutoKey configuration, you must create a VPN tunnel name, specify a gateway, and
reference a Phase 2 policy. If you are using Route mode, you must bind the tunnel to an interface. In this
example, you create a VPN tunnel named vpn_1 and bind it to interface st0.0, and you specify
ike_gateway_1 as the gateway for the VPN tunnel and reference the IPsec policy ipsec_pol_1.

IPsec Autokey IKE J-Web Configuration

To configure an IPsec Autokey in J-Web:

1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Vpn, click Add new entry.
5. In the Name box, type vpn_1.
6. In the Bind interface box, type st0.0.
7. From the Negotiation list, select Ike.
8. Next to Ike, click Configure.
9. In the Gateway box, type Ike_gateway_1.
10. In the Ipsec policy box, type Ipsec_pol_1 and click OK.
11. To save and commit the configuration, click Commit.

IPsec Autokey IKE CLI Configuration

To configure an IPsec Autokey using the CLI editor:

user@host# set security ipsec vpn vpn_1 bind-interface st0.0
user@host# set security ipsec vpn vpn_1 ike gateway ike_gateway_1
user@host# set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1

Use the following command to display information about this IPsec VPN:

user@host# show security ipsec vpn vpn_1
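The introduction warns that a policy, gateway or VPN configured before the object it references will not resolve, and the Phase 1 and Phase 2 sections above pick md5, 3des-cbc, DH group 2 and aggressive mode. The following Python check is an added example, not part of this page or of Junos: it parses the set commands from the sections above (embedded as constructed sample input, with the description and dead-peer-detection lines left out), walks the proposal-to-policy-to-gateway-to-VPN reference chain to report dangling references, and flags the algorithm choices on this page that are weak by current standards. It assumes one value per set line, so bracketed lists such as proposals [ a b ] are not handled.

```python
import shlex
from collections import defaultdict

# Constructed sample input: the set commands this page gives, minus descriptions and DPD.
PAGE_CONFIG = """
set security ike proposal ike_prop_1 dh-group group2
set security ike proposal ike_prop_1 authentication-algorithm md5
set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
set security ike policy ike_pol_1 mode aggressive
set security ike policy ike_pol_1 proposals ike_prop_1
set security ike gateway ike_gateway_1 ike-policy ike_pol_1
set security ipsec proposal ipsec_prop_1 protocol esp
set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
set security ipsec vpn vpn_1 ike gateway ike_gateway_1
set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1
"""

# The two-phase reference chain from this page: object kind -> [(attribute, kind it must name)].
REFERENCES = {"ike policy": [("proposals", "ike proposal")],
              "ike gateway": [("ike-policy", "ike policy")],
              "ipsec policy": [("proposals", "ipsec proposal")],
              "ipsec vpn": [("ike gateway", "ike gateway"), ("ike ipsec-policy", "ipsec policy")]}
# Values used on this page that are weak today: MD5-based integrity, 3DES, 1024-bit DH, aggressive mode.
WEAK = {"authentication-algorithm": {"md5", "hmac-md5-96"}, "mode": {"aggressive"},
        "encryption-algorithm": {"3des-cbc"}, "dh-group": {"group2"},
        "perfect-forward-secrecy keys": {"group2"}}

def parse(text):
    """Map (kind, name) -> {attribute: value}; assumes one value per set line."""
    objs = defaultdict(dict)
    for line in text.strip().splitlines():
        tok = shlex.split(line)                      # shlex keeps quoted values as one token
        if tok[:2] != ["set", "security"] or len(tok) < 7:
            continue
        kind, name, rest = " ".join(tok[2:4]), tok[4], tok[5:]
        objs[(kind, name)][" ".join(rest[:-1])] = rest[-1]   # e.g. "ike gateway" -> "ike_gateway_1"
    return objs

def audit(objs):
    """Return findings: dangling references (the ordering problem) and weak algorithm choices."""
    findings = []
    for (kind, name), attrs in objs.items():
        for attr, target_kind in REFERENCES.get(kind, []):
            ref = attrs.get(attr)
            if ref and (target_kind, ref) not in objs:
                findings.append(f"{kind} {name}: {attr} {ref} is not configured")
        for attr, value in attrs.items():
            if value in WEAK.get(attr, ()):
                findings.append(f"{kind} {name}: {attr} {value} is weak")
    return findings
```

Running audit(parse(PAGE_CONFIG)) on the page's own configuration reports no dangling references but seven weak settings; feeding it only the ike_pol_1 policy line reproduces the out-of-sequence case from the introduction, where ike_prop_1 is referenced before it exists.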

Thanks,

By David.K
